Why is IT so stingy when it comes to risk assessment?

Doing an up-front risk analysis is standard practice in many businesses, where it isn't unheard of for a company to spend the first 2% of a project's budget determining whether to spend the other 98%.

For instance, a consumer-goods company planning to invest $100 million in a new brand of soap might well put $2 million into research first to assess the risk of the soap's failing outright.

When it comes to information technology projects, however, the money spent on up-front risk analyses tends to be ridiculously smallsometimes to where it's pointless. That's the perspective of consultant Doug Hubbard, who says it's the rare company that spends more than one one-thousandth of the total cost of an IT project figuring out in advance the probability of its failure (which means a $100 million ERP project mightmightbe preceded by a risk assessment costing $100,000).

Couldn't this just be a rational conservation of funds by those who have learned ROI predictions are unreliable when it comes to technology? "I reject that notion," says Hubbard, adding he finds it "ironic that it's almost uniquely IT that doesn't know there's a formula for the value of information."

Hubbard says the issue is more one of organizational authority; while a consumer-goods product manager usually has a big research budget at his disposal, a CIO often has none.